Sr. Consultant and Security Practice Leader Larry LaBas shares some of the best practices he recommends to Taos clients in building and maintaining a robust security posture.

3: Beyond IaaS: “As a Service” Isn’t Just for Platforms

Organizations often don’t consider taking “as a service” beyond platforms and Infrastructure as a Service, but there is so much more that the security and automation benefits of a-a-S can offer to other areas such as applications, data, and processes.

From a security standpoint, going beyond IaaS into other areas gives you consistency across the whole company: everything is repeatable and everything can be audited. Automating basic tasks and building in repeatability lowers costs and simplifies systems, and automating anything that can be automated reduces manual toil and risk from errors, while simultaneously allowing the company to be set up for any incident review or compliance needs.

There are clear benefits to this risk management and resilience. When you take a manual control and turn it into a system control, this reduces risk for errors and mistakes caused by the human element. This also increases the ability to prevent or recover from an incident, because companies can redeploy faster with an automated system. Optimizing designs, infrastructure, and code reduces complexity and increases speed.

Another benefit to taking a-a-S to other areas of the company that might not be readily apparent is release from vendor lock-in. By moving to standard infrastructure as code, the organization could, for example, move Terraform modules between AWS or GCP with only minor changes.

5 Steps to Get There

  1. To get the organization beyond IaaS and into a-a-S for other areas, the first step is to assess the current business state, technology state, and security state. If you don’t understand what you have and what’s going on, then you may have risks that need to be mitigated. This is why the current state of your security posture, technology, automation, and manual processes is key. You can try to do this on your own or bring in an expert. A partner like Taos can support with a security assessment to provide you with a view of your strategy, people, skills, technology, processes, and policies wrapped into an easy-to-understand report. But either way, you need a clear view of this status to give you a foundation for planning. 
  2. The second step is to assess business and tech requirements. Take your security posture and socialize it throughout the business, getting feedback and input from different units at a mid-to-high level of granularity as to what’s important to them. If you don’t work with a professional to support this assessment, keep in mind the often overlooked areas outside of IT and Engineering for input, such as Product Management, Marketing, HR, and Sales. All of these departments have business needs that should be met by designs to enable their processes rather than restrict them. Sales especially may feel pressured by customers and quotas to move faster than current security policies allow or to share data with customers that is either missing content or feedback from other departments, or, in the worst case scenario, should ideally not leave the company at all.
  3. Third, design a future state that meets the requirements sourced in Step #2, while moving forward from the current state sourced in Step #1. Take all the policies, strategy, and feedback to create a vision that leads to an actionable plan. See where you can remove manual processes and add automation. One example is the onboarding/offboarding processes for new hires or contractors; another is the integration of sales processes into CRMs and sales/marketing platforms; yet another is data classification and protection for product management teams. Start with the security team for design, then socialize a draft of the plan with leadership for feedback. Iterate into a formal plan, then share it with all departments for their feedback. The key here is transparency. The company as a whole needs to know the roadmap, the reasoning, and the strategy. We talk a lot here about needing leadership buy-in, but for a-a-S at this scale to work, you need inter-departmental buy-in. For instance, if a department has a system that’s working for them, look for ways to make it more secure as opposed to changing it entirely. And of course, as part of your design, don’t forget the basics of a strong security foundation, such as regular back-ups and process monitoring.
  4. Next, integrate security throughout the process. Most company security departments do not involve other departments routinely, which is why Step #4 is vital. Creating a channel for bi-directional communication can greatly increase the robustness of your security posture. You can involve departments through a security champions program to help move your strategy as a company forward and also to get feedback and suggestions. In a security champions program, individuals from different departments are involved in security planning and meet regularly to give their reviews, suggestions, and feedback. Getting various viewpoints in the organization helps to foster acceptance of the programs and the buy-in necessary to success. They also help to ease the communication burden on the security team to the rest of the company. Feedback comes in regularly to the security team as opposed to a constant cycle of sending information out with no response.
  5. The fifth and final step is to implement, review, redesign, and repeat (CI/CD). Put your new automated processes into action and conduct regular reviews with feedback. A review of your security posture should be done yearly at least, quarterly at best. This should include a review of all automated and manual processes and be followed by the same design and feedback cycles described above involving the business units. An additional benefit to adopting this fifth step of CI/CD is the capacity to adjust systems and policies as new threats appear in the threat landscape or changes occur to the business overall.

What’s next?

Between the integration of security and business departments and the optimization of automation, this will naturally set up a company up to achieve the next step in becoming a cyber resilient organization: Cross-Company Collaboration. Our next topic will look at whether the processes between departments are working well together and some clear steps to improve the systems.